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@ Control of access to a networked system. 

(g) The invention relates to networked computer 
systems, and particularly to temporary restric- 
tion of access to such systems. A computer 
system (2) connectable over a network to a 
plurality of users comprises normal access con- 
trol means for restricting user access to the 
system (2), the oontrol means comprising a user 
authentication procedure (44, 46) in which at 
logon the user's identity is compared with a first 
d^nition of authorised users ; system-wide 
profile means referenced (72) by all users of the 
system (2) at logon ; and temporary access 
control facilitation means for temporarily pre- 
venting access to the system (2) by a nomnally 
authorised user or users. The facilitation means 
allow a privileged user of the system (2) to 
create a second definition of temporarily un- 
authorised users, which is referenced by the 
system-wide profile means at logon. 
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The Invention relates to networked computer sys- 
tems, and particularly to temporary restriction of ac- 
cess to such systems. 

In a computer network, a single system may pro- 
vide resources to a plurality of users connected to the 
system over a network. On occasions the system may 
become so overloaded that a particular user or users 
cannot operate effectively, and It may be necessary 
to restrict access to the system resources by some or 
all users for a period of time. 

In most multiuser systems, a file or files listing 
valid usernames, or valid combinations of usernames 
and passwords Is kept, and a user gains access to the 
system by supplying such a name and password 
when he togs on. 

One simple prior art method of temporarily pre- 
venting a user from accessing system resources Is to 
log the user off (if necessary) and reset his logon 
password, preventing him from regaining access. 
However, this is generally undesirable for reasons of 
administration and security. Many systems would not 
allow the user's original password to be reissued, so 
that the user would have to be notified of the new 
password to regain access. 

Another prior art method of preventing a user 
from logging on is to remove his username from the 
file listing authorised users. (This is similar to the 
standard method of deleting a user permanently from 
a system, in which in addition a user's data files, if 
any, would be deleted to release system resources). 
Normal access would be restored by reinstating the 
user's name in the list of authorised users. A disad- 
vantage of this method is the possibility of data loss, 
especially if the file containing usernames contains 
other critical data which is also erased. 

To facilitate reinstating access in the above meth- 
od, the file listing authorised users could be backed 
up (i.e. copied to a secure location) prior to deleting 
any users' entries In the active copy checked at lo- 
gon. To restore the system to its original state, the 
backed-up file would be copied back to Its original lo- 
cation. However, if the original copy were lost, it might 
be difficult to reinstate access. It is clearly preferable 
not to have to alter the files containing usernames or 
passwords. 

For example, in IBM's AiX operating system, 
which is a type of UNIX operating system, a file called 
"/etc/passwd" contains the listing of usernames, and 
references to a further file containing encrypted 
passwords. Loss of this file prevents ANY further lo- 
gon to the system; recovery entails a reinstallation of 
the operating system. W.R. Stevens' book "UNIX 
Network Programming", Prentice-Hall 1990, may be 
referred to for further details of the UNIX operating 
system. 

This method also has other deficiencies. For ex- 
ample, during the period of access restriction, the ad- 
dition of a new user or permanent deletion of an ex- 



isting user, would frequently need to be reflected in 
both the backed-up and the active versions of the sys- 
tem file. Further, on attempting to log on, a normally 
authorised user temporarily denied access by this 

5 method would receive the same 'invalid logon' mes- 
sage, if any. which is presented to a permanently un- 
authorised user. 

Some systems allow access to certain files rather 
than to a logon session to be restricted. For example, 

to. ... in AIX a user could be temporarily prevented from ac- 
cessing his own data files (his "home directory"). This 
could be done by changing the "access mode" for the 
directory, and restoring it at a later time. In AIX, this 
would necessarily remove access for any user to that 

15 data, and might prevent a second user from executing 
his desired tasks, if he happened to be relying on ac- 
cess to the first user's directory. Moreover, denying 
data access does not necessarily achieve the desired 
end, as the first user could still execute programs 

20 stored elsewhere, and thus take up processor time. 
Again, the message to the first user on attempting to 
access his files would be unhelpful, as it would merely 
inform him that he was unable to access his files, not 
that a temporary access restriction was in force. 

25 This invention seeks to provide a system in which 

access can temporarily be restricted, for example to 
allow the system owner to complete a resource-inten- 
sive task, and can easily be reinstated, and which mit- 
igates the disadvantages of prior art solutions. 

30 According to the invention, this is accomplished 

by a computer system connectable over a network to 
a plurality of users, the system comprising: 

normal access control means for restricting 
user access to the system, the control means corr>- 

35 prising a user authentication procedure in which at lo- 
gon the user's Identity Is compared with a first def ini- 
tk>n of authorised users; 

system-wide profile means referenced by all 
users of the system at logon; and 

40 temporary access control facilitation means 

for temporarily preventing access to the system by a 
normally authorised user or users, the facilitation 
means allowing a privileged user of the system to cre- 
ate a second definition of temporarily unauthorised 

45 users, which second definition is referenced by the 
system-wide profile means at logon. 

This invention enables a privileged user, such as 
a system owner, to control user access to the system, 
so that he can restrict access as and when required. 

50 The temporary access control facilitation means, 
such as an access control program executable only 
by a privileged user, temporarily prevents users nor- 
mally able to access the system, but currently logged 
off, from gaining access. Temporarily unauthorised 

55 users already logged on to the system could also be 
logged off, possibly after a grace period or warning. 
Means for logging off current users are not however 
essential to the invention. A key characteristic which 
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distinguishes this invention from the prior art is that 
a definition of temporarily unauthorised users sepa- 
rate from the definition of normally authorised users 
is provided, so that user account information need not 
be modified. 

The invention allows a privileged user on a tem- 
porary basis either to partially restrict access, or to 
prevent access by all other users, allowing him to use 
the full performance capability and resources of the 
system. 

This solution allows for easier restoration of ac- 
cess to the system, which coutd be automatic at a 
specified time. Furthermore, users could be provided 
with appropriate information such as why they are be- 
ing denied access, by whom or for how long. 

A preferred embodiment of the invention will now 
be described, in relation to a UNIX system. UNIX is a 
multiuser, multitasking operating system, whose pop- 
ularity stems from its powerful and flexible user inter- 
faces, and from its standardisation across many ven- 
dors* platforms. IBM's version of UNIX Is AIX. but be- 
cause of the standardisation of UNIX, many details of 
the following description will apply equally to other 
UNIX versions. The preferred embodiment will be de- 
scribed with reference to the accompanying draw- 
ings, in which: 

Fig. 1 shows an example of a very simple com- 
puter network; 

Fig. 2 is an example of an AIX file containing 
users' account data; 

Fig. 3 is a schematic of the AIX logon sequence, 
and 

Fig.4 is a schematic of the method of this inven- 
tion. 

Fig. 1 is an illustration of a small and very simple 
computer network, in which four systems 2, 4, 6. 8 are 
connected together by means of cabling 10. The sys- 
tems are shown as being connected together in a ring 
configuration, although other configurations are 
equally possible and widely known, and other data 
transmission means might replace physical cabling, 
for example to allow connection to more distant loca- 
tions. Each system 2, 4, 6, 8 provides for one or pos- 
sibly more dumb tenminals 12. 14, 16, 18, 20, 22, 24 
to be attached. A user enters data at a terminal, typ- 
ically including username and password to gain ac- 
cess to resources on the network. In the example 
shown, three systems 2, 4, 6 are shown as IBM RISC 
System/8000 series systems, and the fourth system 
8 is shown as an IBM PS/2 series system; these sys- 
tems are commonly used to run IBM's AIX operating 
system. (AIX, RISC System/6000 and PS/2 are trade- 
marks of International Business Machines Corpora- 
tion). The RISC System/6000 systems are relatively 
powerful and might be used by several users. For ex- 
ample, one such system 2 has three directly attached 
(or "local") terminals 12, 14, 16 and coutd be set up 
to allow further use of its resources via the other ("re- 



mote") tenminals 18. 20, 22, 24 connected to it via the 
network. The PS/2 system 8 would typically be less 
powerful and might be used only by a directly attach- 
ed user at terminal 24, who could be authorised to use 

5 other resources on the network, and might even use 
the PS/2 system 8 primarily to handle communica- 
tions with remote resources. For the purposes of this 
invention there will be no need to distinguish between 
local and remote users of a system, so that "connec- 

10' tion over a network" will be taken to encompass both 
types of connection. 

UNIX systems in general allow multiple users 
connected to a system over a network to logon to the 
system to use its resources. On occasions this may 

15 cause the system to become so overloaded that a 
particular user or users, such as a system owner (who 
might frequently be a local user but could equally be 
a remote user), cannot operate effectively. This in- 
ability to limit demand on the system resources may 

20 be particularly troublesome when the owner wishes 
to use the system for a resource intensive task, or to 
accurately measure performance characteristics of a 
task. 

There is therefore a need for a privileged user. 

25 such as a system owner, to be able to limit demand 
on the system resources for a period of time. 

All UNIX systems have the concept of a "super- 
user". (The su peruser is also referred to as having 
"superuser authority"). The superuser is the privi- 

30 leged user in this embodiment A superuser has 
greater authority than normal users, In that he carl ac- 
cess resources (files, for example) which are owned 
by another user. He can add users to the system, de- 
lete users from the system, and change the access 

35 rights of any other user. He can also terminate "proc- 
esses" (running programs) owned by any user, by us- 
ing the UNIX "kill" command, whereas normal users 
can only kill their own processes. 

To aid in understanding the preferred embodi- 

40 ment, some relevant characteristics of UNIX systems 
will now be described. 

When it is desired to add a new user to a UNIX 
system, a "user account" is created. The user account 
can be considered to be made up of two parts: 

45 firstly In all UNIX systems there is a file, in AIX 

entitled /etc/passwd 30. which defines user accounts 
and their characteristics, an entry in which enables 
the user to be granted access to the system following 
authenticatton by means of a password; secondly the 

so user's home directory in which the user may store his 
own programs and data. 

Fig. 2 shows an example /etc/passwd file 30, for 
an AIX system with just 3 users, Mike, Syd and Fred. 
The /etc/passwd file 30 contains 1 record for each 

65 user, the structure of which is as follows: 

A first field 31 gives a unique user's identifier or 
name, such as 'mike', which name the user supplies 
at logon to Identify himself to the system. A second 
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field 32 is for user authentication at logon. In IBM's 
AIX version 3, this field contains an exclamation 
mark, indicating that another (more secure) file con- 
tains the encrypted password for the user. In some 
other versions of UNIX and earlier versions of AIX. 
this field actually contains an encrypted version of the 
password. The exact nature of the authentication 
method Is irrelevant to this invention, and a number 
of other alternatives are possible. The third field 33 
contains a user number, which further identifies a 
user. This Is often (but not necessarily) unique to a 
user. In AIX a su peruser is denoted by a user number 
of zero, and there may be more than one superuser. 
The fourth field 34 is a number which identifies a 
group to which the user belongs. Typically, several 
users might have the same entry in this field, which 
could be for example a department number. The fifth 
field 35 Is a text field, the contents of which are non- 
essential; it might be used by a system administrator 
to give the full name of the user, for example. The 
sixth field 36 specifies the user's home directory, 
which is the directory in which the user will find him- 
self at the successful completion of logon. The sev- 
enth and last field 37 contains the initial program or 
"shell". The user's initial program is run when the user 
logs on, after the user's environment has been initial- 
ised and the user has been placed in his home direc- 
tory. (In UNIX, a shell is a command interpreter, which 
must be running for a user to have an interactive logon 
session). More information about the user's initial pro- 
gram will be given in the explanation of the logon pro- 
cedure. 

Also, in all UNIX systems there is an initialisation 
procedure which is run during each logon session for 
any user of the system, and may therefore be descri- 
bed as "system-wide". In the IBM AIX operating sys- 
tem this program is stored in a file called /etc/profile. 
This file is provided for a privileged user such as a 
system owner or administrator to specify additional 
functions to be provided to all users at logon. Acciden- 
tal loss of or damage to this file during the course of 
modifying it would not usually have disastrous conse- 
quences (it would not prevent logon, for example). 
However, it is usually undesirable for many users to 
have authority to access this file, since by modifying 
it they could cause other users' data to be corrupted. 
One must normally be a superuser or have superuser 
authority to modify this system-wide profile. 

In the preferred embodiment of this invention, 
code is added to the system-wide profile which caus- 
es temporarily unauthorised users to be denied ac- 
cess when they attempt to logon, and allows for the 
display of a message to the user giving information 
about the access restriction. 

The UNIX logon sequence 

Some further description of the UNIX logon se- 



quence will be helpful in understanding the preferred 
embodiment of the Invention. This description will be 
based on the AIX logon sequence, with reference to 
Fig. 3 which is a schematic thereof. 

5 A terminal 12, 14, 16 directly connected to an ac- 

tive UNIX system 2 will normally have a login prompt, 
or in the case of a remote terminal 18. 20. 22, 24, a 
session can be opened with the remote system 2 us- 
ing a commonly understood protocol, and a login 

10 prompt obtained. In AIX, when a user enters a string 
at the login prompt, the "login" command 40 is in- 
voked, which performs the steps of checking 42 ac- 
count details, setting up 50 the user's environment, 
placing 60 the user in his home directory, starting 82 

15 the user's initial program, running profiles 70, and 
providing 80 a prompt at which the user may enter 
commands. These steps will now be described in 
more detail. 

The step 42 of checking account details compris- 

20 es the steps of: validating 44 the user's account, in 
which the /etc/passwd file 30 is referenced to check 
that a user name 31 exists matching the username 
supplied by the user who is attempting to gain access; 
authenticating 46 the user, in which the user's identity 

25 is verified by comparing the encrypted true password 
32 corresponding to the validated username 31 with 
an encryption of the password supplied by the user 
who is attempting to gain access, and establishing 48 
credentials, which are stored in a user database and 

30 define the user's accountability and access rights to 
files on the system 2. 

This step 42 of checking account details is there- 
fore the step at which it is normally determined wheth- 
er or not a user is to be granted access to the system 

35 2 and allowed to proceed with the later steps in the lo- 
gon sequence. As will be discussed later, in the pre- 
ferred embodiment of the present invention a user 
may be denied access at a later stage. 

The step 50 of setting up the user's environment 

40 Is not particularly relevant to the invention. Briefly, it 
comprises initialising the user environment from the 
user database 52 and from a configuration file 
called /etc/environment 54. This provides the user 
with his desired environment, specified by a number 

45 of system variables. For example, one variable deter- 
mines the user's language. 

The user is then placed 60 in the directory 36 
which is specified in the /etc/passwd file 30 as his 
home directory, from within which the user's initial 

so program 37, again specified in the /etc/passwd file 
30. is run 62. In AIX the initial program 37 is restricted 
to being one of those listed under "shells" in the 
file /etc/security/login.cfg. The Initial program 37 pro- 
vides the user with a command line interface, which 

55 Interprets his entered commands. 

Next, programs referred to as profiles are run 70. 
First, the systenvwide profile /etc/profile, previously 
mentioned, is run 72. If there is a file called profile in 
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the user's home directory 36. this is run 74 subse- 
quently. This file contains functions which the user 
himself can specify and which he wishes to be pro- 
vided during each logon. 

Finally, a "shell prompr is provided 80. at which 5 
the user may enter commands. This completes the 
description of the AiX logon sequence of Fig. 3. 

Temporary restriction of access 

10 

Having provided the necessary background, the 
method of the preferred embodiment of the invention 
will now be described In detail for an AIX system, with 
reference to the schematic in Fig. 4. 

Preferably, the steps would be executed under is 
the control of an access control program, which would 
run on the system to which access was to be restrict- 
ed and would provide for a privileged user to enter the 
necessary data, for example at a command line or 
prompt as described below, on a menu screen or 20 
screens, by the use of a mouse or other suitable 
means. 

The method comprises the following steps; 

1) Invoke 81 the access control program. It Is as- 
sumed here that the access control program is 25 
started by entering a command having a number 

of parameters or arguments. 

2) Check 82 that the user of this program is priv- 
ileged to do so, and exit 83 otherwise. 

In UNIX terms the privileged user must 30 
have superuser authority. In AIX, this is the case 
if the unique user identification number 33 is 
zero. It is possible for more than one user to have 
superuser authority. 

3) Sort out 84 the command line arguments sup- 3S 
plied, and set parameters indicating: 

a) User(s) to be permitted access 

b) Duration of access restriction, which could 
be indefinite 

c) Grace period for users to complete work 40 

d) Whether access is to be restricted or re> 
stored and set defaults for parameters not ex- 
plicitly supplied, or for parameters to be over- 
ridden. For example, defaults ensuring a mini- 
mum grace period, or maximum duration of 45 
access restriction may be desirable. 

4) Check d) to establish 85 whether access Is to 
be restricted, or restored following a previous ac- 
cess restrictk>n. The case in which access is to be 
restored will be discussed later. so 

5) Check c) to establish 86 whether a grace per- 
iod is defined and if so 87 issue a warning to 
users notifying them of the impending access re- 
striction and wait for the grace period. 

The notification could Include any useful 55 
information available to the program or supplied 
by the privileged user, such as the name of the 
privileged user who initiated the access restric- 



tion, the users affected, the grace period, the dur- 
ation of the access restriction, or the reason for 
the restriction. 

6) Make 88 a backup copy of the systenvwide 
profile (/etc/profile). 

7) Check a) and create 89 a definition of tempor- 
arily unauthorised users, by any appropriate 
method. 

For example, a list of temporarily unautho- 

rised.'or temporarily authorised usernames could 

be constructed (the latter could even include in- 
valki usernames, since the account validating 
step 44 of the logon sequence would ensure 
these were not admitted), or the user number 33 
could be required to be within a specified interval. 
The privileged user executing this program would 
always be included! 

8) Modify 90 the systenvwide profile /etc/profile. 

This may Involve the addition of code 
to /etc/profile, which would effect the steps of 
checking whether a user logging on is temporarily 
unauthorised according to the definition, and if 
so. displaying a message and logging him off, 
(using the 'Tdll" command explained in the next 
step). Obviously, /etc/profile could be perma- 
nently adapted to search for such a definition, 
which might be vacuous, or might not necessarily 
exist. 

Since the system-wide profile is refer- 
enced by each and every user at logon, such a 
modification prevents any temporarily unautho- 
rised user currently logged off the system from 
gaining access. 

9) Log off 91 temporarily unauthorised users al- 
ready logged on to the system. 

In AIX a user may have one or more "proc- 
esses" or programs running simultaneously, 
each of which has a process identification num- 
ber (PID) which is associated with the user's 
name 31 and number 33. Logging off the user in- 
volves terminating all his processes. A "ps" conv 
mand lists existing processes and their associat- 
ed usernames 31 and numbers 33. Thus proc- 
esses owned by users defined as temporarily un- 
authorised may be identified; terminatton is ac- 
complished by passing the PIDs to the "kill" com- 
mand. As previously mentioned, only a user with 
superuser authority can kill other users' process- 
es. 

10) Check b) to establish 92 whether a definite 
duration was specified for the access restriction, 
if a definite duration is specified, submit 94 a 
batch job to restore access at the appropriate 
time (using the AIX "at" command), and then exit 
95 the access control program. If the duration is 
indefinite, exit 93 the access control program 
without submitting a batch job. 
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Restoration of access 

To restore access to the system following a tem- 
porary restriction, it is necessary to ensure that the 
system-wide profile no longer causes access to be 
denied to normally authorised users attempting to lo- 
gon. This will also ensure users logged off by the ac- 
cess control program are able to regain access. 

Restoration is most easily done by reversing the 
.modifications 90 to the system-wide profile, by re- 
placing the modified profile with the backup copy pre- 
viously made 88. Alternatively, the definition of tem- 
porarily unauthorised users could be modified or de- 
leted, or the system-wide profile could be prevented 
from accessing the definition. If desired, access could 
be partially restored by modifying the definition to 
specify a smaller set of temporarily unauthorised 
users. 

In this embodiment the access control program 
can be invoked 81 again by the privileged user with a 
"restore" parameter and will replace 96 the modified 
system-wide profile with the clear backup copy. If a 
definite time was specified for the restoration of ac- 
cess, it is not necessary for the privileged user to in- 
tervene again; the access control program submits 
94 a batch job to automatically replace the system-wi- 
de profile at the specified time. 

It may be noticed that a user could also be denied 
access by replacing his initial program 37 by a pro- 
gram logging him off (which would have to be listed 
in /etc/security/login.cfg). This is not considered de- 
sirable, as the user's initial program is usually not sys- 
tem-wide, and the method would involve modifying 
the critical /etc/passwd file, or replacing the contents 
of eg. /bin/ksh with the program logging him off. It 
would however allow a more helpful message to be 
given. 

Although the preferred embodiment described 
uses an access control program to perform the nec- 
essary operations, other alternatives could be envis- 
aged by a person skilled in the art. It would, for exam- 
ple, be possible to use separate programs to restrict 
and restore access, or indeed for the privileged user 
to manually perform some of the operations. Other al- 
ternatives might include replacing the single defini- 
tion of temporarily unauthorised users with two differ- 
ent definitions, one for users currently logged on and 
another for users already logged off. 

Also, a separate systenrvwide profile could be 
provided solely for temporary access restriction, rath- 
er than incorporating the functions in a larger profile, 
and the profile could if desired precede the normal 
access control procedure. 

Further, although the preferred embodiment has 
been described In relation to a UNIX system, tempor- 
ary access control means could be provided in any 
system in which user access Is normally restricted by 
access control means referencing a definition of nor- 



mally authorised users, and in which at least all users 
satisfying the normal access control means could re- 
fer to a shared or common profile at logon. 

5 

Claims 

1. A computer system (2) connectable over a net- 
work to a plurality of users, the system (2) conv 

10 prising: 

normal access control means for restrict- 
ing user access to the system (2), the control 
means comprising a user authenticatton proce- 
dure (44, 46) in which at logon the user's identity 

15 is compared with a first definition of authorised 

users; 

system-wide profile nneans referenced 
(72) by all users of the system (2) at logon; and 
temporary access control facilitation 

20 means for temporarily preventing access to the 

system (2) by a normally authorised user or 
users, the facilitation means allowing a privileged 
user of the system (2) to create a second defini- 
tion of temporarily unauthorised users, which 

25 second definition is referenced by the systenrvwi- 

de profile means at logon. 

2. A system as claimed in claim 1, wherein the fa- 
cilitation means is adapted to modify (90) the sys- 

30 tem-wlde profile to cause it to reference the sec- 

ond definition of temporarily unauthorised users. 

3. A system as claimed in claim 1 or daim 2, where- 
in the facilitation means causes the systenvwide 

35 profile to provide information regarding the tem- 

porary access restriction to a user temporarily 
denied access. 

4. A system as claimed in any one of the preceding 
40 claims, wherein the facilitation means includes 

means for logging off (91) users already logged 
on to the system (2) who are temporarily unautho- 
rised according to the second definition. 

45 5. A system as claimed In claim 4, wherein the fa- 
cilitation means is adapted to define a grace per- 
iod and to issue (87) a warning to users already 
logged on to the system (2) that system access 
will be restricted on expiry of the grace period. 

so 

6. A system as claimed in any one of the preceding 
claims, wherein the facilitation means is operable 
to automatically reinstate (94) access to some or 
all temporarily unauthorised users at a specified 

55 time. 

7. A system as claimed in any one of the preceding 
claims, in which the system is a UNIX system. 
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8. A method of temporarily preventing access to a 
system (2) connectable over a network to a plur- 
ality of users and having normal access control 
means for restricting user access to the system 
(2) comprising a user authentication procedure 5 
(44. 46) In which at logon the user's identity Is 
compared to a first definition of authorised users 
and further having system-wide profile means 
referenced (72) by all users of the system (2) at 
logon," the method comprising the steps of: io 

referencing a second definition of tempor- 
arily unauthorised users from the system-wide 
profile means; and 

denying access to a user who is temporar- 
ily unauthorised according to the second def ini- is 
tlon. 
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